cli/internal/cmd/updater/cmd.go
Snider f47e8211fb feat(mcp): add workspace root validation to prevent path traversal (#100)
* feat(mcp): add workspace root validation to prevent path traversal

- Add workspaceRoot field to Service for restricting file operations
- Add WithWorkspaceRoot() option for configuring the workspace directory
- Add validatePath() helper to check paths are within workspace
- Apply validation to all file operation handlers
- Default to current working directory for security
- Add comprehensive tests for path validation

Closes #82

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor: move CLI commands from pkg/ to internal/cmd/

- Move 18 CLI command packages to internal/cmd/ (not externally importable)
- Keep 16 library packages in pkg/ (externally importable)
- Update all import paths throughout codebase
- Cleaner separation between CLI logic and reusable libraries

CLI commands moved: ai, ci, dev, docs, doctor, gitcmd, go, monitor,
php, pkgcmd, qa, sdk, security, setup, test, updater, vm, workspace

Libraries remaining: agentic, build, cache, cli, container, devops,
errors, framework, git, i18n, io, log, mcp, process, release, repos

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* refactor(mcp): use pkg/io Medium for sandboxed file operations

Replace manual path validation with pkg/io.Medium for all file operations.
This delegates security (path traversal, symlink bypass) to the sandboxed
local.Medium implementation.

Changes:
- Add io.NewSandboxed() for creating sandboxed Medium instances
- Refactor MCP Service to use io.Medium instead of direct os.* calls
- Remove validatePath and resolvePathWithSymlinks functions
- Update tests to verify Medium-based behaviour

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix: correct import path and workflow references

- Fix pkg/io/io.go import from core-gui to core
- Update CI workflows to use internal/cmd/updater path

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* fix(security): address CodeRabbit review issues for path validation

- pkg/io/local: add symlink resolution and boundary-aware containment
  - Reject absolute paths in sandboxed Medium
  - Use filepath.EvalSymlinks to prevent symlink bypass attacks
  - Fix prefix check to prevent /tmp/root matching /tmp/root2

- pkg/mcp: fix resolvePath to validate and return errors
  - Changed resolvePath from (string) to (string, error)
  - Update deleteFile, renameFile, listDirectory, fileExists to handle errors
  - Changed New() to return (*Service, error) instead of *Service
  - Properly propagate option errors instead of silently discarding

- pkg/io: wrap errors with E() helper for consistent context
  - Copy() and MockMedium.Read() now use coreerr.E()

- tests: rename to use _Good/_Bad/_Ugly suffixes per coding guidelines
  - Fix hardcoded /tmp in TestPath to use t.TempDir()
  - Add TestResolvePath_Bad_SymlinkTraversal test

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

* style: fix gofmt formatting across all files

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-01 21:59:34 +00:00

220 lines
6.4 KiB
Go

package updater
import (
"fmt"
"os"
"runtime"
"github.com/host-uk/core/pkg/cli"
"github.com/spf13/cobra"
)
// Repository configuration for updates
const (
repoOwner = "host-uk"
repoName = "core"
)
// Command flags
var (
updateChannel string
updateForce bool
updateCheck bool
updateWatchPID int
)
func init() {
cli.RegisterCommands(AddUpdateCommands)
}
// AddUpdateCommands registers the update command and subcommands.
func AddUpdateCommands(root *cobra.Command) {
updateCmd := &cobra.Command{
Use: "update",
Short: "Update core CLI to the latest version",
Long: `Update the core CLI to the latest version from GitHub releases.
By default, checks the 'stable' channel for tagged releases (v*.*.*)
Use --channel=dev for the latest development build.
Examples:
core update # Update to latest stable release
core update --check # Check for updates without applying
core update --channel=dev # Update to latest dev build
core update --force # Force update even if already on latest`,
RunE: runUpdate,
}
updateCmd.PersistentFlags().StringVar(&updateChannel, "channel", "stable", "Release channel: stable, beta, alpha, or dev")
updateCmd.PersistentFlags().BoolVar(&updateForce, "force", false, "Force update even if already on latest version")
updateCmd.Flags().BoolVar(&updateCheck, "check", false, "Only check for updates, don't apply")
updateCmd.Flags().IntVar(&updateWatchPID, "watch-pid", 0, "Internal: watch for parent PID to die then restart")
_ = updateCmd.Flags().MarkHidden("watch-pid")
updateCmd.AddCommand(&cobra.Command{
Use: "check",
Short: "Check for available updates",
RunE: func(cmd *cobra.Command, args []string) error {
updateCheck = true
return runUpdate(cmd, args)
},
})
root.AddCommand(updateCmd)
}
func runUpdate(cmd *cobra.Command, args []string) error {
// If we're in watch mode, wait for parent to die then restart
if updateWatchPID > 0 {
return watchAndRestart(updateWatchPID)
}
currentVersion := cli.AppVersion
cli.Print("%s %s\n", cli.DimStyle.Render("Current version:"), cli.ValueStyle.Render(currentVersion))
cli.Print("%s %s/%s\n", cli.DimStyle.Render("Platform:"), runtime.GOOS, runtime.GOARCH)
cli.Print("%s %s\n\n", cli.DimStyle.Render("Channel:"), updateChannel)
// Handle dev channel specially - it's a prerelease tag, not a semver channel
if updateChannel == "dev" {
return handleDevUpdate(currentVersion)
}
// Check for newer version
release, updateAvailable, err := CheckForNewerVersion(repoOwner, repoName, updateChannel, true)
if err != nil {
return cli.Wrap(err, "failed to check for updates")
}
if release == nil {
cli.Print("%s No releases found in %s channel\n", cli.WarningStyle.Render("!"), updateChannel)
return nil
}
if !updateAvailable && !updateForce {
cli.Print("%s Already on latest version (%s)\n",
cli.SuccessStyle.Render(cli.Glyph(":check:")),
release.TagName)
return nil
}
cli.Print("%s %s\n", cli.DimStyle.Render("Latest version:"), cli.SuccessStyle.Render(release.TagName))
if updateCheck {
if updateAvailable {
cli.Print("\n%s Update available: %s → %s\n",
cli.WarningStyle.Render("!"),
currentVersion,
release.TagName)
cli.Print("Run %s to update\n", cli.ValueStyle.Render("core update"))
}
return nil
}
// Spawn watcher before applying update
if err := spawnWatcher(); err != nil {
// If watcher fails, continue anyway - update will still work
cli.Print("%s Could not spawn restart watcher: %v\n", cli.DimStyle.Render("!"), err)
}
// Apply update
cli.Print("\n%s Downloading update...\n", cli.DimStyle.Render("→"))
downloadURL, err := GetDownloadURL(release, "")
if err != nil {
return cli.Wrap(err, "failed to get download URL")
}
if err := DoUpdate(downloadURL); err != nil {
return cli.Wrap(err, "failed to apply update")
}
cli.Print("%s Updated to %s\n", cli.SuccessStyle.Render(cli.Glyph(":check:")), release.TagName)
cli.Print("%s Restarting...\n", cli.DimStyle.Render("→"))
// Exit so the watcher can restart us
os.Exit(0)
return nil
}
// handleDevUpdate handles updates from the dev release (rolling prerelease)
func handleDevUpdate(currentVersion string) error {
client := NewGithubClient()
// Fetch the dev release directly by tag
release, err := client.GetLatestRelease(nil, repoOwner, repoName, "beta")
if err != nil {
// Try fetching the "dev" tag directly
return handleDevTagUpdate(currentVersion)
}
if release == nil {
return handleDevTagUpdate(currentVersion)
}
cli.Print("%s %s\n", cli.DimStyle.Render("Latest dev:"), cli.ValueStyle.Render(release.TagName))
if updateCheck {
cli.Print("\nRun %s to update\n", cli.ValueStyle.Render("core update --channel=dev"))
return nil
}
// Spawn watcher before applying update
if err := spawnWatcher(); err != nil {
cli.Print("%s Could not spawn restart watcher: %v\n", cli.DimStyle.Render("!"), err)
}
cli.Print("\n%s Downloading update...\n", cli.DimStyle.Render("→"))
downloadURL, err := GetDownloadURL(release, "")
if err != nil {
return cli.Wrap(err, "failed to get download URL")
}
if err := DoUpdate(downloadURL); err != nil {
return cli.Wrap(err, "failed to apply update")
}
cli.Print("%s Updated to %s\n", cli.SuccessStyle.Render(cli.Glyph(":check:")), release.TagName)
cli.Print("%s Restarting...\n", cli.DimStyle.Render("→"))
os.Exit(0)
return nil
}
// handleDevTagUpdate fetches the dev release using the direct tag
func handleDevTagUpdate(currentVersion string) error {
// Construct download URL directly for dev release
downloadURL := fmt.Sprintf(
"https://github.com/%s/%s/releases/download/dev/core-%s-%s",
repoOwner, repoName, runtime.GOOS, runtime.GOARCH,
)
if runtime.GOOS == "windows" {
downloadURL += ".exe"
}
cli.Print("%s dev (rolling)\n", cli.DimStyle.Render("Latest:"))
if updateCheck {
cli.Print("\nRun %s to update\n", cli.ValueStyle.Render("core update --channel=dev"))
return nil
}
// Spawn watcher before applying update
if err := spawnWatcher(); err != nil {
cli.Print("%s Could not spawn restart watcher: %v\n", cli.DimStyle.Render("!"), err)
}
cli.Print("\n%s Downloading from dev release...\n", cli.DimStyle.Render("→"))
if err := DoUpdate(downloadURL); err != nil {
return cli.Wrap(err, "failed to apply update")
}
cli.Print("%s Updated to latest dev build\n", cli.SuccessStyle.Render(cli.Glyph(":check:")))
cli.Print("%s Restarting...\n", cli.DimStyle.Render("→"))
os.Exit(0)
return nil
}